[collectd] collectd restriction

Yves Mettier ymettier at free.fr
Thu Apr 30 08:36:29 CEST 2015


Hello,

On 2015-04-29 21:08, Stuart Cracraft wrote:
> This is a half-hearted, strange attempt to draconianly
> say "all uid=0" is bad and feels suspiciously nannyish, big-government.

This should be configurable. Security vs Liberty.
However, if that were configurable, I would set allow_execute_with_UID0 
as false.
I explain below.

> In fact, there are many commands which require root to
> access protected files or devices and which do not have
> non-Exec collectd-generic-support but constitute invaluable
> information to have collected, graphed and alarmed on.

True

> I am surprised at the above decision and am asking
> the community how you collect root-accessible-only data
> in collectd when there is no plugin exec, nor otherwise, to collectd.

You can use sudo.

Create a specific user (that will execute the Exec script) and give that 
user the right to run the command with sudo without password.

Why would I configure allow_execute_with_UID0=false? Because the script 
to be executed by the Exec plugin does not need root privileges.
Moreover, I like to script a loop to prevent the Exec plugin from forking 
and running the script every minute (or whatever interval you specified). 
I also parse the result of the command and reformat it for the Plain Text 
Protocol. That does not need root privileges.
The only command that needs root privileges, well, you can use sudo for 
that.
And with sudo, you can also track who is doing what. Good point!

Of course, there are other ways to get root privileges on some OS.
Of course, my method does not work if your script is not a script but a 
binary that does it all (including conversion of the result to Plain Text 
Protocol).

Well, that's only how I do it. Not the Universal Way of Doing Things.
I'd like to hear other opinions too.

Regards,
Yves
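
The setup described in this message, as an added example that is not part of the original post or collectd's own code: an Exec wrapper that runs unprivileged, loops, calls a single command through sudo, and validates its output before emitting Plain Text Protocol lines. The account name collectd_exec, the command /usr/local/sbin/read_protected_stat, its "name value" output format, and the wrapper path are assumptions.

```shell
#!/bin/sh
# Added example. Runs as an unprivileged account (hypothetical: collectd_exec).
# Only the one collector command is allowed through sudo, e.g. in
# /etc/sudoers.d/collectd_exec (check the file with visudo -c):
#   collectd_exec ALL=(root) NOPASSWD: /usr/local/sbin/read_protected_stat
# collectd.conf, Exec plugin:
#   Exec "collectd_exec" "/usr/local/bin/exec_wrapper.sh" "--loop"

PRIV_CMD=/usr/local/sbin/read_protected_stat   # hypothetical root-only command
HOST="${COLLECTD_HOSTNAME:-localhost}"         # exported by the Exec plugin
INTERVAL="${COLLECTD_INTERVAL:-60}"            # exported by the Exec plugin

# Turn "name value" lines into PUTVAL lines. Anything that is not a plain
# identifier plus a non-negative number is dropped, so output from the
# privileged command cannot inject other plain text protocol commands.
to_putval() {
    while read -r name value extra; do
        [ -z "$extra" ] || continue
        case "$name" in ''|*[!A-Za-z0-9_]*) continue ;; esac
        case "$value" in ''|.|*[!0-9.]*|*.*.*) continue ;; esac
        printf 'PUTVAL "%s/exec-protected/gauge-%s" interval=%s N:%s\n' \
            "$HOST" "$name" "$INTERVAL" "$value"
    done
}

# Long-running loop: collectd forks this script once, not once per interval.
main_loop() {
    while :; do
        # -n: never prompt; fails at once if the sudoers rule is missing.
        sudo -n "$PRIV_CMD" | to_putval
        sleep "${INTERVAL%.*}"   # drop any fractional part of the interval
    done
}

if [ "${1:-}" = "--loop" ]; then
    main_loop
fi
```

Each sudo invocation is recorded in the system's sudo log under the collectd_exec account, which gives the audit trail mentioned above.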


